Merge branch 'dev'

go.mod

@@ -15,7 +15,7 @@ require (
  github.com/jfrog/build-info-go v1.9.12
  github.com/jfrog/gofrog v1.3.0
  github.com/jfrog/jfrog-apps-config v1.0.1
- github.com/jfrog/jfrog-client-go v1.34.1
+ github.com/jfrog/jfrog-client-go v1.34.2
  github.com/magiconair/properties v1.8.7
  github.com/manifoldco/promptui v0.9.0
  github.com/owenrumney/go-sarif/v2 v2.2.2
@@ -24,6 +24,7 @@ require (
  github.com/stretchr/testify v1.8.4
  github.com/urfave/cli v1.22.14
  github.com/vbauerster/mpb/v7 v7.5.3
+ github.com/wagoodman/dive v0.11.0
  golang.org/x/exp v0.0.0-20230905200255-921286631fa9
  golang.org/x/mod v0.12.0
  golang.org/x/sync v0.3.0
@@ -42,16 +43,28 @@ require (
  github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
  github.com/acomagu/bufpipe v1.0.4 // indirect
  github.com/andybalholm/brotli v1.0.1 // indirect
+ github.com/awesome-gocui/gocui v1.1.0 // indirect
+ github.com/cespare/xxhash v1.1.0 // indirect
  github.com/cloudflare/circl v1.3.3 // indirect
  github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
  github.com/cyphar/filepath-securejoin v0.2.4 // indirect
  github.com/davecgh/go-spew v1.1.1 // indirect
+ github.com/docker/cli v24.0.5+incompatible // indirect
+ github.com/docker/distribution v2.8.2+incompatible // indirect
+ github.com/docker/docker v24.0.2+incompatible // indirect
+ github.com/docker/go-connections v0.4.0 // indirect
+ github.com/docker/go-units v0.4.0 // indirect
  github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+ github.com/dustin/go-humanize v1.0.0 // indirect
  github.com/emirpasic/gods v1.18.1 // indirect
+ github.com/fatih/color v1.13.0 // indirect
  github.com/fsnotify/fsnotify v1.6.0 // indirect
+ github.com/gdamore/encoding v1.0.0 // indirect
+ github.com/gdamore/tcell/v2 v2.4.0 // indirect
  github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
  github.com/go-git/go-billy/v5 v5.5.0 // indirect
  github.com/go-git/go-git/v5 v5.9.0 // indirect
+ github.com/gogo/protobuf v1.3.2 // indirect
  github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
  github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
  github.com/golang/snappy v0.0.2 // indirect
@@ -61,6 +74,8 @@ require (
  github.com/klauspost/compress v1.11.4 // indirect
  github.com/klauspost/cpuid/v2 v2.2.3 // indirect
  github.com/klauspost/pgzip v1.2.5 // indirect
+ github.com/logrusorgru/aurora v0.0.0-20190803045625-94edacc10f9b // indirect
+ github.com/lucasb-eyer/go-colorful v1.0.3 // indirect
  github.com/mattn/go-colorable v0.1.12 // indirect
  github.com/mattn/go-isatty v0.0.14 // indirect
  github.com/mattn/go-runewidth v0.0.13 // indirect
@@ -69,14 +84,19 @@ require (
  github.com/minio/sha256-simd v1.0.1 // indirect
  github.com/mitchellh/mapstructure v1.5.0 // indirect
  github.com/nwaples/rardecode v1.1.0 // indirect
+ github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
+ github.com/opencontainers/image-spec v1.0.2 // indirect
  github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+ github.com/phayes/permbits v0.0.0-20190612203442-39d7c581d2ee // indirect
  github.com/pierrec/lz4/v4 v4.1.2 // indirect
  github.com/pjbgf/sha1cd v0.3.0 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
  github.com/pkg/term v1.1.0 // indirect
  github.com/pmezard/go-difflib v1.0.0 // indirect
  github.com/rivo/uniseg v0.4.3 // indirect
  github.com/russross/blackfriday/v2 v2.1.0 // indirect
  github.com/sergi/go-diff v1.1.0 // indirect
+ github.com/sirupsen/logrus v1.9.0 // indirect
  github.com/skeema/knownhosts v1.2.0 // indirect
  github.com/spf13/afero v1.9.5 // indirect
  github.com/spf13/cast v1.5.1 // indirect

xray/commands/scan/buildscan.go

@@ -4,7 +4,6 @@ import (
  "errors"
  rtutils "github.com/jfrog/jfrog-cli-core/v2/artifactory/utils"
  "github.com/jfrog/jfrog-cli-core/v2/utils/config"
- "github.com/jfrog/jfrog-cli-core/v2/xray/utils"
  xrutils "github.com/jfrog/jfrog-cli-core/v2/xray/utils"
  clientutils "github.com/jfrog/jfrog-client-go/utils"
  "github.com/jfrog/jfrog-client-go/utils/log"
@@ -72,7 +71,7 @@ func (bsc *BuildScanCommand) SetRescan(rescan bool) *BuildScanCommand {
 
 // Scan published builds with Xray
 func (bsc *BuildScanCommand) Run() (err error) {
- xrayManager, xrayVersion, err := utils.CreateXrayServiceManagerAndGetVersion(bsc.serverDetails)
+ xrayManager, xrayVersion, err := xrutils.CreateXrayServiceManagerAndGetVersion(bsc.serverDetails)
  if err != nil {
  return err
  }

xray/commands/scan/dockerscan.go

@@ -9,6 +9,7 @@ import (
  "github.com/jfrog/jfrog-client-go/utils/errorutils"
  "github.com/jfrog/jfrog-client-go/utils/io/fileutils"
  "github.com/jfrog/jfrog-client-go/utils/log"
+ "github.com/wagoodman/dive/dive"
  "os"
  "os/exec"
  "path/filepath"
@@ -18,12 +19,17 @@ import (
 const (
  indexerEnvPrefix = "JFROG_INDEXER_"
  DockerScanMinXrayVersion = "3.40.0"
+ layerDigestPrefix = "sha256:"
+ // Suffix added while analyzing docker layers, remove it for better readability.
+ buildKitSuffix = " # buildkit"
 )
 
 type DockerScanCommand struct {
  ScanCommand
  imageTag string
  targetRepoPath string
+ // Maps layer hash to dockerfile command
+ dockerfileCommandsMapping map[string]string
 }
 
 func NewDockerScanCommand() *DockerScanCommand {
@@ -40,6 +46,7 @@ func (dsc *DockerScanCommand) SetTargetRepoPath(repoPath string) *DockerScanComm
  return dsc
 }
 
+// DockerScan scan will save a docker image as .tar file and will prefore binary scan on it.
 func (dsc *DockerScanCommand) Run() (err error) {
  // Validate Xray minimum version
  _, xrayVersion, err := xrayutils.CreateXrayServiceManagerAndGetVersion(dsc.ScanCommand.serverDetails)
@@ -68,21 +75,26 @@ func (dsc *DockerScanCommand) Run() (err error) {
  }
  log.Info("Creating image archive...")
  imageTarPath := filepath.Join(tempDirPath, "image.tar")
+
  dockerSaveCmd := exec.Command("docker", "save", dsc.imageTag, "-o", imageTarPath)
  var stderr bytes.Buffer
  dockerSaveCmd.Stderr = &stderr
- err = dockerSaveCmd.Run()
- if err != nil {
+ if err = dockerSaveCmd.Run(); err != nil {
  return fmt.Errorf("failed running command: '%s' with error: %s - %s", strings.Join(dockerSaveCmd.Args, " "), err.Error(), stderr.String())
  }
 
+ // Map layers sha256 checksum names to dockerfile line commands
+ if err = dsc.mapDockerLayerToCommand(); err != nil {
+ return
+ }
+
  // Perform scan on image.tar
  dsc.SetSpec(spec.NewBuilder().
  Pattern(imageTarPath).
  Target(dsc.targetRepoPath).
  BuildSpec()).SetThreads(1)
- err = dsc.setCredentialEnvsForIndexerApp()
- if err != nil {
+
+ if err = dsc.setCredentialEnvsForIndexerApp(); err != nil {
  return errorutils.CheckError(err)
  }
  defer func() {
@@ -91,7 +103,56 @@ func (dsc *DockerScanCommand) Run() (err error) {
  err = errorutils.CheckError(e)
  }
  }()
- return dsc.ScanCommand.Run()
+ // Preform binary scan.
+ extendedScanResults, cleanup, scanErrors, err := dsc.ScanCommand.binaryScan()
+ if cleanup != nil {
+ defer cleanup()
+ }
+ if err != nil {
+ return
+ }
+
+ // Print results with docker commands mapping.
+ err = xrayutils.NewResultsWriter(extendedScanResults).
+ SetOutputFormat(dsc.outputFormat).
+ SetIncludeVulnerabilities(dsc.includeVulnerabilities).
+ SetIncludeLicenses(dsc.includeLicenses).
+ SetPrintExtendedTable(dsc.printExtendedTable).
+ SetIsMultipleRootProject(true).
+ SetDockerCommandsMapping(dsc.dockerfileCommandsMapping).
+ PrintScanResults()
+
+ return dsc.ScanCommand.handlePossibleErrors(extendedScanResults.XrayResults, scanErrors, err)
+}
+
+func (dsc *DockerScanCommand) mapDockerLayerToCommand() (err error) {
+ log.Debug("Mapping docker layers into commands...")
+ resolver, err := dive.GetImageResolver(dive.SourceDockerEngine)
+ if err != nil {
+ return errorutils.CheckErrorf("failed to map docker layers, is docker running on your machine? error message: %s", err.Error())
+ }
+ dockerImage, err := resolver.Fetch(dsc.imageTag)
+ if err != nil {
+ return
+ }
+ // Create mapping between sha256 hash to dockerfile Command.
+ layersMapping := make(map[string]string)
+ for _, layer := range dockerImage.Layers {
+ layerHash := strings.TrimPrefix(layer.Digest, layerDigestPrefix)
+ layersMapping[layerHash] = cleanDockerfileCommand(layer.Command)
+ }
+ dsc.dockerfileCommandsMapping = layersMapping
+ return
+}
+
+// DockerScan command could potentiality have double spaces,
+// Reconstruct the command with only one space between arguments.
+// Example: command from dive: "RUN apt-get install && apt-get install #builtkit".
+// Will resolve to a cleaner command RUN apt-get install && apt-get install
+func cleanDockerfileCommand(rawCommand string) string {
+ fields := strings.Fields(rawCommand)
+ command := strings.Join(fields, " ")
+ return strings.TrimSuffix(command, buildKitSuffix)
 }
 
 // When indexing RPM files inside the docker container, the indexer-app needs to connect to the Xray Server.